feat: maxcompute column level masking policy (#80)

feat: implemented column level masking policy instead of table level

Author: Mayurjag

plugins/extractors/maxcompute/client/client.go

@@ -11,6 +11,11 @@ import (
 	"google.golang.org/protobuf/types/known/structpb"
 )
 
+type (
+	Column = string
+	Policy = string
+)
+
 type Client struct {
 	client  *odps.Odps
 	project *odps.Project
@@ -121,22 +126,18 @@ func (c *Client) GetTablePreview(_ context.Context, partitionValue string, table
 	return columnNames, protoList, nil
 }
 
-func (*Client) GetMaskingPolicies(table *odps.Table) (maskingPolicies []string, err error) {
+func (*Client) GetMaskingPolicies(table *odps.Table) (maskingPolicies map[Column][]Policy, err error) {
 	columnMaskInfos, err := table.ColumnMaskInfos()
 	if err != nil {
 		return nil, err
 	}
 
-	policySet := make(map[string]struct{})
+	maskingPolicies = make(map[string][]string)
 	for _, columnMaskInfo := range columnMaskInfos {
-		for _, policyName := range columnMaskInfo.PolicyNameList {
-			policySet[policyName] = struct{}{}
+		if len(columnMaskInfo.PolicyNameList) > 0 {
+			maskingPolicies[columnMaskInfo.Name] = columnMaskInfo.PolicyNameList
 		}
 	}
 
-	for policyName := range policySet {
-		maskingPolicies = append(maskingPolicies, policyName)
-	}
-
 	return maskingPolicies, nil
 }

plugins/extractors/maxcompute/maxcompute.go

@@ -27,7 +27,16 @@ import (
 )
 
 const (
-	maxcomputeService = "maxcompute"
+	maxcomputeService             = "maxcompute"
+	attributesDataSQL             = "sql"
+	attributesDataMaskingPolicy   = "masking_policy"
+	attributesDataProjectName     = "project_name"
+	attributesDataSchema          = "schema"
+	attributesDataType            = "type"
+	attributesDataResourceURL     = "resource_url"
+	attributesDataPartitionFields = "partition_fields"
+	attributesDataLabel           = "label"
+	attributesDataResourceType    = "resource_type"
 )
 
 type Extractor struct {
@@ -80,7 +89,7 @@ type Client interface {
 	ListTable(ctx context.Context, schemaName string) ([]*odps.Table, error)
 	GetTableSchema(ctx context.Context, table *odps.Table) (string, *tableschema.TableSchema, error)
 	GetTablePreview(ctx context.Context, partitionValue string, table *odps.Table, maxRows int) ([]string, *structpb.ListValue, error)
-	GetMaskingPolicies(table *odps.Table) ([]string, error)
+	GetMaskingPolicies(table *odps.Table) (map[client.Column][]client.Policy, error)
 }
 
 func New(logger log.Logger, clientFunc NewClientFunc, randFn randFn) *Extractor {
@@ -217,7 +226,7 @@ func (e *Extractor) buildAsset(ctx context.Context, schema *odps.Schema,
 
 	if tableType == config.TableTypeView {
 		query := tableSchema.ViewText
-		tableAttributesData["sql"] = query
+		tableAttributesData[attributesDataSQL] = query
 		if e.config.BuildViewLineage {
 			upstreamResources := getUpstreamResources(query)
 			asset.Lineage = &v1beta2.Lineage{
@@ -226,6 +235,11 @@ func (e *Extractor) buildAsset(ctx context.Context, schema *odps.Schema,
 		}
 	}
 
+	maskingPolicy, err := e.client.GetMaskingPolicies(table)
+	if err != nil {
+		e.logger.Warn("error getting masking policy", "error", err)
+	}
+
 	var columns []*v1beta2.Column
 	for i, col := range tableSchema.Columns {
 		columnData := &v1beta2.Column{
@@ -236,6 +250,19 @@ func (e *Extractor) buildAsset(ctx context.Context, schema *odps.Schema,
 			Attributes:  utils.TryParseMapToProto(buildColumnAttributesData(&tableSchema.Columns[i])),
 			Columns:     buildColumns(col.Type),
 		}
+
+		if policies, found := maskingPolicy[col.Name]; found {
+			policyValues := make([]*structpb.Value, 0, len(policies))
+			for _, policy := range policies {
+				policyValues = append(policyValues, structpb.NewStringValue(policy))
+			}
+			columnData.Attributes.Fields[attributesDataMaskingPolicy] = &structpb.Value{
+				Kind: &structpb.Value_ListValue{
+					ListValue: &structpb.ListValue{Values: policyValues},
+				},
+			}
+		}
+
 		columns = append(columns, columnData)
 	}
 
@@ -302,15 +329,15 @@ func buildColumns(dataType datatype.DataType) []*v1beta2.Column {
 func (e *Extractor) buildTableAttributesData(schemaName, tableType string, table *odps.Table, tableInfo *tableschema.TableSchema) map[string]interface{} {
 	attributesData := map[string]interface{}{}
 
-	attributesData["project_name"] = e.config.ProjectName
-	attributesData["schema"] = schemaName
-	attributesData["type"] = tableType
+	attributesData[attributesDataProjectName] = e.config.ProjectName
+	attributesData[attributesDataSchema] = schemaName
+	attributesData[attributesDataType] = tableType
 
 	rb := common.ResourceBuilder{ProjectName: e.config.ProjectName}
-	attributesData["resource_url"] = rb.Table(schemaName, tableInfo.TableName)
+	attributesData[attributesDataResourceURL] = rb.Table(schemaName, tableInfo.TableName)
 
 	if tableInfo.ViewText != "" {
-		attributesData["sql"] = tableInfo.ViewText
+		attributesData[attributesDataSQL] = tableInfo.ViewText
 	}
 
 	var partitionNames []interface{}
@@ -319,18 +346,8 @@ func (e *Extractor) buildTableAttributesData(schemaName, tableType string, table
 		for i, column := range tableInfo.PartitionColumns {
 			partitionNames[i] = column.Name
 		}
-		attributesData["partition_fields"] = partitionNames
-	}
-
-	maskingPolicy, err := e.client.GetMaskingPolicies(table)
-	if err != nil {
-		e.logger.Warn("error getting masking policy", "error", err)
-	}
-	maskingPolicyInterface := make([]interface{}, len(maskingPolicy))
-	for i, policy := range maskingPolicy {
-		maskingPolicyInterface[i] = policy
+		attributesData[attributesDataPartitionFields] = partitionNames
 	}
-	attributesData["masking_policy"] = maskingPolicyInterface
 
 	return attributesData
 }
@@ -343,7 +360,7 @@ func buildColumnAttributesData(column *tableschema.Column) map[string]interface{
 	}
 
 	if column.Label != "" {
-		attributesData["label"] = column.Label
+		attributesData[attributesDataLabel] = column.Label
 	}
 
 	return attributesData

plugins/extractors/maxcompute/maxcompute_test.go

@@ -216,7 +216,10 @@ func TestExtract(t *testing.T) {
 				},
 				nil,
 			)
-			mockClient.EXPECT().GetMaskingPolicies(mock.Anything).Return([]string{"policyTag1", "policyTag2", "policyTag3"}, nil)
+			mockClient.EXPECT().GetMaskingPolicies(mock.Anything).Return(map[string][]string{
+				"user_id": {"policyTag1"},
+				"email":   {"policyTag2", "policyTag3"},
+			}, nil)
 		}, nil)
 
 		assert.Nil(t, err)
@@ -267,7 +270,7 @@ func TestExtract(t *testing.T) {
 				},
 				nil,
 			)
-			mockClient.EXPECT().GetMaskingPolicies(mock.Anything).Return([]string{}, nil)
+			mockClient.EXPECT().GetMaskingPolicies(mock.Anything).Return(map[string][]string{}, nil)
 		}, nil)
 
 		assert.Nil(t, err)
@@ -293,7 +296,7 @@ func TestExtract(t *testing.T) {
 			mockClient.EXPECT().ListSchema(mock.Anything).Return(schema1, nil)
 			mockClient.EXPECT().ListTable(mock.Anything, "my_schema").Return(table1[1:], nil)
 			mockClient.EXPECT().GetTableSchema(mock.Anything, table1[1]).Return("MANAGED_TABLE", schemaMapping[table1[1].Name()], nil)
-			mockClient.EXPECT().GetMaskingPolicies(mock.Anything).Return([]string{}, nil)
+			mockClient.EXPECT().GetMaskingPolicies(mock.Anything).Return(map[string][]string{}, nil)
 		}, nil)
 
 		assert.Nil(t, err)

plugins/extractors/maxcompute/mocks/maxcompute_client_mock.go

@@ -34,7 +34,6 @@
             "preview_fields": [],
             "preview_rows": null,
             "attributes": {
-                "masking_policy": [],
                 "project_name": "test-project-id",
                 "resource_url": "/projects/test-project-id/schemas/my_schema/tables/new_table",
                 "schema": "my_schema",

plugins/extractors/maxcompute/testdata/expected-assets-with-table-exclusion.json

@@ -55,7 +55,6 @@
             "preview_fields": [],
             "preview_rows": null,
             "attributes": {
-                "masking_policy": [],
                 "project_name": "test-project-id",
                 "resource_url": "/projects/test-project-id/schemas/my_schema/tables/dummy_table",
                 "schema": "my_schema",
@@ -129,7 +128,6 @@
                 ]
             ],
             "attributes": {
-                "masking_policy": [],
                 "project_name": "test-project-id",
                 "resource_url": "/projects/test-project-id/schemas/my_schema/tables/new_table",
                 "schema": "my_schema",

plugins/extractors/maxcompute/testdata/expected-assets-with-view-lineage.json

@@ -55,11 +55,6 @@
             "preview_fields": [],
             "preview_rows": null,
             "attributes": {
-                "masking_policy": [
-                    "policyTag1",
-                    "policyTag2",
-                    "policyTag3"
-                ],
                 "project_name": "test-project-id",
                 "resource_url": "/projects/test-project-id/schemas/my_schema/tables/dummy_table",
                 "schema": "my_schema",
@@ -95,7 +90,9 @@
                     "length": "0",
                     "profile": null,
                     "columns": [],
-                    "attributes": {}
+                    "attributes": {
+                        "masking_policy": ["policyTag1"]
+                    }
                 },
                 {
                     "name": "email",
@@ -105,7 +102,9 @@
                     "length": "0",
                     "profile": null,
                     "columns": [],
-                    "attributes": {}
+                    "attributes": {
+                        "masking_policy": ["policyTag2", "policyTag3"]
+                    }
                 }
             ],
             "preview_fields": [
@@ -123,11 +122,6 @@
                 ]
             ],
             "attributes": {
-                "masking_policy": [
-                    "policyTag1",
-                    "policyTag2",
-                    "policyTag3"
-                ],
                 "project_name": "test-project-id",
                 "resource_url": "/projects/test-project-id/schemas/my_schema/tables/new_table",
                 "schema": "my_schema",